The Ethics of Mobile Computing for Lawyers
University of Richmond Law School of Law
February 27, 2015
Sharon D. Nelson, Esq. and John W. Simek
President and Vice President, Sensei Enterprises
703-359-0700 www.senseient.com
snelson@senseient.com; jsimek@senseient.com
Attorneys’ Ethical Duties – With an Emphasis on Encryption!
The following materials are excerpts from Encryption Made Simple for Lawyers, to be published
by the American Bar Association in March of 2015 and written by Sharon D. Nelson, Esq., David
G. Ries, Esq. and John W. Simek.
Attorneys’ use of technology presents special ethics challenges, particularly in the
areas of competence and confidentiality. Attorneys also have common law duties
to protect client information and may have contractual and regulatory duties.
These duties to safeguard information relating to clients are minimum standards
with which attorneys are required to comply. Attorneys should aim for even
stronger safeguards as a matter of sound professional practice and client service.
Encryption is now a generally accepted practice in information security for
protection of confidential data. Attorneys should understand encryption and use
it in appropriate situations. All attorneys should use encryption on laptops,
smartphones, tablets and portable media that contain information relating to
clients. They should also make sure that transmissions over wired and wireless
networks are secure, which often requires some form of encryption. In addition,
attorneys should have encryption available for e-mail or secure file transfer and
use it when appropriate. Although most attorneys will need technical assistance
to install and set up encryption, use of encryption after that is generally easy.
Ethics Rules
The duty of competence (ABA Model Rule 1.1) requires attorneys to know what
technology is necessary and how to use it. The duty of confidentiality (ABA Model
Rule 1.6) is one of an attorney’s most fundamental ethical responsibilities.
Together, these rules require attorneys using technology to take competent and
reasonable measures to safeguard information relating to clients. This duty
extends to all use of technology, including computers, mobile devices, networks,
technology outsourcing, and cloud computing and includes use of encryption
where appropriate. This book will help you to decide when encryption may be
appropriate.
Model Rule 1.1 covers the general duty of competence. It provides that “A lawyer
shall provide competent representation to a client.” This “requires the legal
knowledge, skill, thoroughness and preparation reasonably necessary for the
representation.” It includes competence in selecting and using technology. It
requires attorneys who lack the necessary technical competence for security to
consult with qualified people who have the requisite expertise.
Model Rule 1.4, Communications, also applies to attorneys’ use of technology. It
requires appropriate communications with clients “about the means by which the
client's objectives are to be accomplished,” including the use of technology. It
requires keeping the client informed and, depending on the circumstances, may
require obtaining “informed consent.” It requires attorneys, where appropriate,
to discuss with clients the risks of using technology, including e-mail and
electronic communications.
Model Rule 1.6 generally defines the duty of confidentiality. It begins as follows:
A lawyer shall not reveal information relating to the representation
of a client unless the client gives informed consent, the disclosure is
impliedly authorized in order to carry out the representation or the
disclosure is permitted by paragraph (b). . . .
Rule 1.6 broadly requires protection of “information relating to the
representation of a client;” it is not limited to confidential communications and
privileged information. Disclosure of covered information generally requires
express or implied client consent (in the absence of special circumstances like
misconduct by the client).
The ABA Commission on Ethics 20/20 conducted a review of the ABA Model Rules
of Professional Conduct and the U.S. system of lawyer regulation in the context of
advances in technology and global legal practice developments. One of its core
areas of focus was technology and confidentiality. Its Revised Draft Resolutions in
this area were adopted by the ABA at its Annual Meeting in August of 2012.1
The amendments include addition of the following highlighted language to the
Comment to Model Rule 1.1 Competence:
1
See,
www.americanbar.org/groups/professional_responsibility/aba_commission_on_ethics_20_20.html.
[8] To maintain the requisite knowledge and skill, a lawyer should
keep abreast of changes in the law and its practice, including the
benefits and risks associated with technology…
The amendments also added the following new subsection (highlighted) to Model
Rule 1.6 Confidentiality of Information:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent
or unauthorized disclosure of, or unauthorized access to, information
relating to the representation of a client.
This requirement covers two areas – inadvertent disclosure and unauthorized
access. Inadvertent disclosure includes threats like leaving a briefcase, laptop, or
smartphone in a taxi or restaurant, sending a confidential e-mail to the wrong
recipient, producing privileged documents or data, or exposing confidential
metadata. Unauthorized access includes threats like hackers, criminals, malware,
and insider threats.
The amendments also include the following changes to Comment [18] to this rule:
Acting Competently to Preserve Confidentiality
[18] Paragraph (c) requires a A lawyer must to act competently to
safeguard information relating to the representation of a client
against unauthorized access by third parties and against inadvertent
or unauthorized disclosure by the lawyer or other persons or entities
who are participating in the representation of the client or who are
subject to the lawyer’s supervision or monitoring. See Rules 1.1, 5.1
and 5.3. The unauthorized access to, or the inadvertent or
unauthorized disclosure of, confidential information does not
constitute a violation of paragraph (c) if the lawyer has made
reasonable efforts to prevent the access or disclosure. Factors to be
considered in determining the reasonableness of the lawyer’s efforts
include the sensitivity of the information, the likelihood of disclosure
if additional safeguards are not employed, the cost of employing
additional safeguards, the difficulty of implementing the safeguards,
and the extent to which the safeguards adversely affect the lawyer’s
ability to represent clients (e.g., by making a device or important
piece of software excessively difficult to use). A client may require
the lawyer to implement special security measures not required by
this Rule or may give informed consent to forego security measures
that would otherwise be required by this Rule. Whether a lawyer
may be required to take additional steps to safeguard a client’s
information in order to comply with other law, such as state and
federal laws that govern data privacy or that impose notification
requirements upon the loss of, or unauthorized access to, electronic
information, is beyond the scope of these Rules.
Significantly, these revisions are clarifications rather than substantive changes.
They add additional detail that is consistent with the then existing rules and
comments, ethics opinions, and generally accepted information security
principles.2
Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistants) was amended
to expand its scope. “Assistants” was expanded to “Assistance,” extending its
coverage to all levels of staff and outsourced services ranging from copying
services to outsourced legal services. This requires attorneys to employ
reasonable safeguards, like due diligence, contractual requirements, supervision,
and monitoring, to ensure that non-lawyers inside and outside a law firm provide
services in compliance with an attorney’s duty of confidentiality.
Ethics Opinions
A number of state ethics opinions have addressed professional responsibility
issues related to security in attorneys’ use of various technologies. Consistent
with the subsequent Ethics 20/20 amendments, they generally require competent
and reasonable safeguards. It is important for attorneys to consult the rules,
comments, and ethics opinions in the relevant jurisdiction(s).
2
“This duty is already described in several existing Comments, but the Commission concluded that, in
light of the pervasive use of technology to store and transmit confidential client information, this
existing obligation should be stated explicitly in the black letter of Model Rule 1.6.” ABA Commission on
Ethics 20/20, Report to Resolution 105A Revised, Introduction (2012).
An early example is State Bar of Arizona, Opinion No. 05-04 (July 2005) (Formal
Opinion of the Committee on the Rules of Professional Conduct). It requires
“competent and reasonable steps to assure that the client’s confidences are not
disclosed to third parties through theft or inadvertence” and “competent and
reasonable measures to assure that the client’s electronic information is not lost
or destroyed.” It further explains that “an attorney must either have the
competence to evaluate the nature of the potential threat to the client’s
electronic files and to evaluate and deploy appropriate computer hardware and
software to accomplish that end, or if the attorney lacks or cannot reasonably
obtain that competence, to retain an expert consultant who does have such
competence.”
Additional examples include New Jersey Advisory Committee on Professional
Ethics, Opinion 701, “Electronic Storage and Access of Client Files” (April, 2006),
State Bar of Arizona, Opinion No. 09-04 (December, 2009): “Confidentiality;
Maintaining Client Files; Electronic Storage; Internet” (Formal Opinion of the
Committee on the Rules of Professional Conduct); State Bar of California, Standing
Committee on Professional Responsibility and Conduct, Formal Opinion No. 2010179 and New York State Bar Association Ethics Opinion 1019, “Confidentiality;
Remote Access to Firm’s Electronic Files,” (August, 2014).
Significantly, California Formal Opinion No. 2010-179 advises attorneys that they
must consider security before using a particular technology in the course of
representing a client. It notes that attorneys “must take appropriate steps to
evaluate,” among other considerations, “the level of security attendant to the use
of that technology, including whether reasonable precautions may be taken when
using the technology to increase the level of security.” The opinion covers use of a
firm-issued laptop and use of public and home wireless networks.
New York Opinion 1019 cautions attorneys to analyze necessary precautions in
the context of current risks:
Cyber-security issues have continued to be a major concern for
lawyers, as cyber-criminals have begun to target lawyers to access
client information, including trade secrets, business plans and
personal data. Lawyers can no longer assume that their document
systems are of no interest to cyber-crooks. That is particularly true
where there is outside access to the internal system by third parties,
including law firm employees working at other firm offices, at home
or when traveling, or clients who have been given access to the firm's
document system.
The opinion leaves it up to attorneys and law firms to determine the
specific precautions that are necessary:
Because of the fact-specific and evolving nature of both technology
and cyber risks, we cannot recommend particular steps that would
constitute reasonable precautions to prevent confidential
information from coming into the hands of unintended recipients,
including the degree of password protection to ensure that persons
who access the system are authorized, the degree of security of the
devices that firm lawyers use to gain access, whether encryption is
required, and the security measures the firm must use to determine
whether there has been any unauthorized access to client
confidential information.
It requires attorneys to either make a determination that the selected
precautions provide reasonable protection, in light of the risks, or to obtain
informed consent from clients after explaining the risks.
There are now multiple ethics opinions on attorneys’ use of cloud computing
services like online file storage and software as a service (SaaS).3 For example,
New York Bar Association Committee on Professional Ethics Opinion 842 “Using
an outside online storage provider to store client confidential information”
(September, 2010), consistent with the general requirements of the ethics
opinions above, concludes:
A lawyer may use an online data storage system to store and back up
client confidential information provided that the lawyer takes
3
The ABA Legal Technology Resource Center has published a summary with links, “Cloud Ethics Opinions
Around the U.S.,” available at
www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/
cloud-ethics-chart.html.
reasonable care to ensure that confidentiality is maintained in a
manner consistent with the lawyer's obligations under Rule 1.6. A
lawyer using an online storage provider should take reasonable care
to protect confidential information, and should exercise reasonable
care to prevent others whose services are utilized by the lawyer from
disclosing or using confidential information of a client. In addition,
the lawyer should stay abreast of technological advances to ensure
that the storage system remains sufficiently advanced to protect the
client's information, and the lawyer should monitor the changing law
of privilege to ensure that storing information in the "cloud" will not
waive or jeopardize any privilege protecting the information.
Additional examples of opinions covering cloud services are Pennsylvania Bar
Association, Committee on Legal Ethics and Professional Responsibility, Formal
Opinion 2011-200, “Ethical Obligations for Attorneys Using Cloud
Computing/Software as a Service While Fulfilling the Duties of Confidentiality and
Preservation of Client Property” (November, 2011) and North Carolina State Bar
2011 Formal Ethics Opinion 6, “Subscribing to Software as a Service While
Fulfilling the Duties of Confidentiality and Preservation of Client Property”
(January, 2012).
The key professional responsibility requirements from these various opinions on
attorneys’ use of technology are competent and reasonable measures to
safeguard client data, including an understanding of limitations in attorneys’
competence, obtaining appropriate assistance, continuing security awareness,
appropriate supervision, and ongoing review as technology, threats and available
security evolve.
Ethics Rules – Electronic Communications
E-mail and electronic communications have become everyday communications
forms for attorneys and other professionals. They are fast, convenient, and
inexpensive, but also present serious risks. It is important for attorneys to
understand and address these risks.
In addition to adding the requirement of reasonable safeguards to protect
confidentiality, the Ethics 2000 revisions to the Model Rules, over 10 years ago,
also added Comment 17 [now 19] to Rule 1.6. This comment requires reasonable
precautions to safeguard and preserve confidential information during electronic
transmission. This Comment, as amended in accordance with the Ethics 20/20
recommendations (highlighted), provides:
[19] When transmitting a communication that includes information
relating to the representation of a client, the lawyer must take
reasonable precautions to prevent the information from coming
into the hands of unintended recipients. This duty, however, does
not require that the lawyer use special security measures if the
method of communication affords a reasonable expectation of
privacy. Special circumstances, however, may warrant special
precautions. Factors to be considered in determining the
reasonableness of the lawyer's expectation of confidentiality include
the sensitivity of the information and the extent to which the
privacy of the communication is protected by law or by a
confidentiality agreement. A client may require the lawyer to
implement special security measures not required by this Rule or
may give informed consent to the use of a means of communication
that would otherwise be prohibited by this Rule. Whether a lawyer
may be required to take additional steps in order to comply with
other law, such as state and federal laws that govern data privacy,
is beyond the scope of these Rules.
This Comment requires attorneys to take “reasonable precautions” to protect the
confidentiality of electronic communications. Its language about “special security
measures” has often been viewed by attorneys as providing that they never need
to use encryption. While it does state that “special security measures” are not
generally required, it contains qualifications and notes that “special
circumstances” may warrant “special precautions.” It includes the important
qualification - “if the method of communication affords a reasonable
expectation of privacy.” As discussed below, there are questions about whether
Internet e-mail affords a reasonable expectation of privacy.
Ethics Opinions – Electronic Communications
An ABA ethics opinion in 1999 and several state ethics opinions have concluded
that special security measures, like encryption, are not routinely required for
confidential attorney e-mail.4 However, these opinions should be carefully
reviewed because, like Comment 19, they contain qualifications that limit their
general conclusions.
For example, New York Bar Association Committee on Professional Ethics Opinion
709 “Use of Internet to advertise and to conduct law practice focusing on
trademarks; use of Internet e-mail; use of trade names” (September, 1998)
concludes:
We therefore conclude that lawyers may in ordinary circumstances
utilize unencrypted Internet e-mail to transmit confidential
information without breaching their duties of confidentiality … to
their clients, as the technology is in use today. Despite this general
conclusion, lawyers must always act reasonably in choosing to use email for confidential communications, as with any other means of
communication. Thus, in circumstances in which a lawyer is on notice
for a specific reason that a particular e-mail transmission is at
heightened risk of interception, or where the confidential
information at issue is of such an extraordinarily sensitive nature that
it is reasonable to use only a means of communication that is
completely under the lawyer's control, the lawyer must select a more
secure means of communication than unencrypted Internet e-mail.
4
E.g., ABA Formal Opinion No. 99-413, Protecting the Confidentiality of Unencrypted E-Mail (March 10,
1999) (“based upon current technology and law as we are informed of it …a lawyer sending confidential
client information by unencrypted e-mail does not violate Model Rule 1.6(a)…” “…this opinion does not,
however, diminish a lawyer's obligation to consider with her client the sensitivity of the communication,
the costs of its disclosure, and the relative security of the contemplated medium of communication.
Particularly strong protective measures are warranted to guard against the disclosure of highly sensitive
matters.”) and District of Columbia Bar Opinion 281, “Transmission of Confidential Information by
Electronic Mail,” (February, 1998), (“In most circumstances, transmission of confidential information by
unencrypted electronic mail does not per se violate the confidentiality rules of the legal profession.
However, individual circumstances may require greater means of security.”).
A lawyer who uses Internet e-mail must also stay abreast of this
evolving technology to assess any changes in the likelihood of
interception as well as the availability of improved technologies that
may reduce such risks at reasonable cost. It is also sensible for
lawyers to discuss with clients the risks inherent in the use of
Internet e-mail, and lawyers should abide by the clients’ wishes as to
its use.
As discussed below, security professionals have questioned the security of
unencrypted e-mail for years – comparing it to a postcard that can be easily read.
Consistent with these questions about the security of e-mail, some ethics
opinions express a stronger view that encryption may be required. For example,
New Jersey Opinion 701 (April, 2006), discussed above, notes at the end: “where
a document is transmitted to [the attorney]… by email over the Internet, the
lawyer should password a confidential document (as is now possible in all
common electronic formats, including PDF), since it is not possible to secure the
Internet itself against third party access.”5
California Formal Opinion No. 2010-179, also discussed above, notes that
“encrypting email may be a reasonable step for an attorney in an effort to ensure
the confidentiality of such communications remain so when circumstances call for
it, particularly if the information at issue is highly sensitive and the use of
encryption is not onerous.”
An Iowa opinion on cloud computing suggests the following as one of a series of
questions that attorneys should ask when determining appropriate protection:
“Recognizing that some data will require a higher degree of protection than
others, will I have the ability to encrypt certain data using higher level encryption
tools of my choosing?” Iowa Ethics Opinion 11-01.
The recent Pennsylvania ethics opinion on cloud computing concludes that
“attorneys may use email but must, under appropriate circumstances, take
5
As discussed in Chapter 11, file password protection in some software, like current versions of
Microsoft Office, Adobe Acrobat, and WinZip uses encryption to protect security. It is generally easier to
use than encryption of the e-mail message and attachments. However, the protection can be limited by
use of weak passwords that are easy to break or “crack.”
additional precautions to assure client confidentiality.” It discusses encryption as
an additional precaution that may be required when using services like web mail.
Pennsylvania Formal Opinion 2011-200.
In addition to complying with any legal requirements that apply, the most
prudent approach to the ethical duty of protecting confidentiality is to have an
express understanding with clients (preferably in an engagement letter or other
writing) about the nature of communications that will be (and will not be) sent
electronically and whether or not encryption and other security measures will be
utilized.
It has now reached the point where attorneys should have encryption available
for use in appropriate circumstances. If you doubt this, read the next chapter
carefully and we’ll tell you why.
Common Law Duties
Along with these ethical duties, there are also parallel common law duties defined
by case law in the various states. The Restatement (3rd) of the Law Governing
Lawyers (2000) summarizes this area of the law. See, Section 16(2) on
competence and diligence, Section 16(3) on complying with obligations
concerning client’s confidences, and Chapter 5, “Confidential Client Information.”
Breach of these duties can result in a malpractice action.
There are also instances when lawyers have contractual duties to protect client
data. This is particularly the case for clients in regulated industries, such as health
care and financial services, that have regulatory requirements to protect privacy
and security. Clients are recognizing that law firms may be the weak links in
protecting their confidential information and are increasingly requiring specified
safeguards, providing questionnaires about a law firm’s security and even
requiring security audits.
Laws and Regulations Covering Personal Information
In addition to the ethical and common law duties to protect client information,
various state and federal statutes and regulations require protection of defined
categories of personal information. Some of these apply to lawyers who possess
any specified personal information about their employees, clients, clients’
employees or customers, opposing parties and their employees, or even
witnesses.
At least 12 states now have general information security laws that require
reasonable measures to protect defined categories of personal information
(including Arkansas, California, Connecticut, Illinois, Maryland, Massachusetts,
Nevada, New Jersey, Oregon, Rhode Island, Texas, and Utah). While the scope of
coverage, the specificity of the requirements and the definitions vary among
these laws, “personal information” is usually defined to include general or specific
facts about an identifiable individual. The exceptions tend to be information that
is presumed public and does not have to be protected (e.g., a business address).
The most comprehensive law of this type to date is a Massachusetts law,6 which
applies to “persons who own, license, store or maintain personal information
about a resident of the Commonwealth of Massachusetts.” Covered “personal
information” includes Social Security numbers, driver’s license numbers, stateissued identification card numbers, financial account numbers and credit card
numbers. With its broad coverage of “persons,” this law is likely to be applied to
persons nationwide, including attorneys and law firms, when they have sufficient
contacts with Massachusetts to satisfy personal jurisdiction requirements. It
requires covered persons to “develop, implement, and maintain a comprehensive
information security program that is written in one or more readily accessible
parts and contains administrative, technical, and physical safeguards.”
The implementing regulation7 for the Massachusetts law became effective in
2010. In addition to requiring a risk assessment, the regulation contains detailed
requirements for the information security program and detailed computer system
security requirements. The security requirements include:
•
Encryption of all transmitted records and files containing personal
information that will travel across public networks, and encryption of all
data containing personal information to be transmitted wirelessly; and
6
Mass. Gen. Laws Ch. 93H.
7
201 C.M.R. 17.00
•
Encryption of all personal information stored on laptops or other
portable devices.
Additional system security requirements in the Massachusetts regulation are
secure user authentication, secure access control, reasonable monitoring to
detect unauthorized access, reasonably up-to-date firewall protection, reasonably
up-to-date security software (including current patches and virus definitions), and
education and training of employees.
Nevada also has laws that require “reasonable security measures” and
encryption8 although they are much less detailed than the Massachusetts law.
The legal obligations don’t stop, however, at protecting the confidentiality of
information. Forty-seven states and the District of Columbia and the Virgin Islands
have laws that require notification concerning data breaches (all but Mississippi,
New Mexico and South Dakota). While there are differences in their scope and
requirements, they generally require entities that own, license or possess defined
categories of personally identifiable information about consumers to notify
affected consumers if there is a breach. Like the reasonable security laws, many
of these laws apply to covered information “about” residents of the state. Some
require notice to a state agency in addition to notice to consumers. Most of these
laws have encryption safe harbors, which provide that notice is not required if the
data is encrypted and the decryption key has not been compromised.
At the federal level, an attorney who receives protected individually identifiable
health information (PHI) from a covered entity under the Health Insurance
Portability & Accountability Act (HIPAA) will generally be a “business associate”
and be required to comply with the HIPAA security requirements. The 2009
Healthcare Information Technology and Clinical Health (HITECH) Act enhanced
HIPAA security requirements, extended them directly to business associates, and
added a new breach notification requirement. Encryption is included as an
“addressable” requirement, which means that it or an alternative must be
implemented or a written explanation provided to explain why it is not needed.
See, 45 CFR Parts 160 and 164.
8
Nevada Revised Statutes 603A.210 and 597.970.
Note too that encryption is already required for federal agencies that have
information about individuals on laptops and portable media.9 This requirement
was adopted after a high profile data breach in which a laptop and external drive
were stolen from the car of an employee of the Department of Veterans Affairs,
exposing personal information of approximately 27 million veterans.
The Federal Trade Commission has brought a number of enforcement actions
against businesses based on allegations that they failed to take reasonable
measures to safeguard the privacy and security of personal information about
consumers. In over half of them, settlements required the businesses to employ
additional safeguards, including encryption of personal information in
transmission and storage.10
As encryption becomes a legal requirement in areas like these, it is likely to
become the standard of what is reasonable for lawyers.
Summary of Duties
The ethics rules and common law duties require attorneys to take competent and
reasonable measures to safeguard client data, including an understanding of
limitations in attorneys’ competence, obtaining appropriate assistance,
continuing security awareness, appropriate supervision, and ongoing review as
technology, threats, and available security evolve. These ethical and common law
duties, as well as any applicable contractual and regulatory duties, are minimum
standards of conduct. Attorneys should aim for even stronger safeguards as a
matter of sound professional practice and client service. While the risks of
disciplinary proceedings, malpractice claims, and regulatory actions arising from
security breaches are real, the greatest risks are often dissatisfied clients (or
former clients) and harm to professional reputation.
9
Office of Management and Budget Memorandum M-06-16 (June 23, 2006) (“Encrypt all data on mobile
computers/devices which carry agency data unless the data is determined to be non-sensitive…”)
10
Patricia Bailin, “Study: What FTC Enforcement Actions Teach Us About Features of Reasonable Privacy and Data
Security Practices,” The Privacy Advisor (Sept. 19, 2014), https:privacyassociation.org.
Information Security Basics
Information security is a process to protect the confidentiality, integrity, and
availability of information. Security starts with a risk assessment to identify
anticipated threats to the information assets, including an inventory of
information assets to determine what needs to be protected. The next step is
development and implementation of a comprehensive information security
program to employ reasonable physical, administrative, and technical safeguards
to protect against identified risks. This is the most difficult part of the process. It
must address people, policies and procedures, and technology and include
assignment of responsibility, training, ongoing security awareness, monitoring for
compliance, and periodic review and updating.
The requirement for lawyers is reasonable security, not absolute security. New
Jersey Ethics Opinion 701 states “’[r]easonable care,’ however, does not mean
that the lawyer absolutely and strictly guarantees that the information will be
utterly invulnerable against all unauthorized access. Such a guarantee is
impossible…” Recognizing this concept, the Ethics 20/20 amendments to the
Comment to Rule 1.6 include “…[t]he unauthorized access to, or the inadvertent
or unauthorized disclosure of, confidential information does not constitute a
violation of paragraph (c) if the lawyer has made reasonable efforts to prevent
the access or disclosure.”
Encryption and Reasonable Safeguards
The greatest challenge for lawyers in establishing information security programs is
deciding what security measures are necessary and then implementing them.
Determining what constitute “competent and reasonable measures” can be
difficult. The Ethics 20/20 amendments provide some high level guidance in
Comment 18 to Rule 1.6. As discussed above, the following factors are applied for
determining reasonable and competent safeguards:
Factors to be considered in determining the reasonableness of the
lawyer’s efforts include the sensitivity of the information, the
likelihood of disclosure if additional safeguards are not employed,
the cost of employing additional safeguards, the difficulty of
implementing the safeguards, and the extent to which the safeguards
adversely affect the lawyer’s ability to represent clients (e.g., by
making a device or important piece of software excessively difficult
to use).
Weighing of these factors supports the use of encryption by attorneys, where
appropriate, particularly for highly sensitive data. There has been growing
recognition of the risk of exposure of unencrypted data, particularly during
transmission and on mobile and portable devices. At the same time, there has
been increasing availability of inexpensive and easy-to-use encryption solutions.
Mobile Devices
Protection of laptops, smartphones, tablets, and other mobile devices presents a
good example of application of the requirement of “reasonable efforts” to a
specific category of technology. Mobile devices present a great security risk
because they can be easily lost or stolen. The Verizon 2014 Data Breach
Investigation Report (covering 2013) explains the risk and a solution to it –
encryption – this way:11
PHYSICAL THEFT AND LOSS
RECOMMENDED CONTROLS
The primary root cause of incidents in this pattern is carelessness of
one degree or another. Accidents happen. People lose stuff. People
steal stuff. And that’s never going to change. But there are a few
things you can do to mitigate that risk.
Encrypt devices.
Considering the high frequency of lost assets, encryption is as close
to a no-brainer solution as it gets for this incident pattern. Sure, the
asset is still missing, but at least it will save a lot of worry,
embarrassment, and potential lawsuits by simply being able to say
the information within it was protected. …
11
www.verizonenterprise.com/DBIR/2014/.
(Emphasis added.)
It’s not just Verizon, this view is widely held by information security professionals
and government agencies. While each attorney and law firm have to determine
what is reasonable in their circumstances, this raises the question, does failure to
use encryption for mobile devices - a no-brainer solution – comply with the duty
to employ reasonable safeguards?
E-mail
E-mail is another good example for application of this analysis. There are serious
questions about the confidentiality of Internet e-mail. Respected security
professionals for years have compared e-mail to postcards or postcards written in
pencil.12 A June 2014 post by Google on the Google Official Blog13 and a July 2014
New York Times article14 use the same analogy – comparing unencrypted e-mails
to postcards. Encryption is being increasingly required in areas like banking and
health care. Recent laws in Nevada15 and Massachusetts16 (which apply to
12
E.g., B. Schneier, E-Mail Security - How to Keep Your Electronic Messages Private, (John Wiley & Sons,
Inc. 1995) p. 3; B. Schneier, Secrets & Lies: Digital Security in a Networked Work, (John Wiley & Sons, Inc.
2000) p. 200 ("The common metaphor for Internet e-mail is postcards: Anyone – letter carriers, mail
sorters, nosy delivery truck drivers - who can touch the postcard can read what's on the back."); and
Larry Rogers, Email – A Postcard Written in Pencil, Special Report, (Software Engineering Institute,
Carnegie Mellon University 2001).
13
“Transparency Report: Protecting Emails as They Travel Across the Web,” Google Official Blog (June 3,
2014) (“…we send important messages in sealed envelopes, rather than on postcards. …Email works in a
similar way. Emails that are encrypted as they’re routed from sender to receiver are like sealed
envelopes, and less vulnerable to snooping—whether by bad actors or through government
surveillance—than postcards.”)
http://googleblog.blogspot.com/2014/06/transparency-report-protecting-emails.html.
14
Molly Wood, “Easier Ways to Protect Email From Unwanted Prying Eyes,” New York Times (July 16,
2014) (“Security experts say email is a lot more like a postcard than a letter inside an envelope, and
almost anyone can read it while the note is in transit. The government can probably read your email, as
can hackers and your employer.”)
www.nytimes.com/2014/07/17/technology/personaltech/ways-to-protect-your-email-after-you-sendit.html?r=0.
15
Nev. Rev. Stat. 603A.010, et seq.
16
Mass. Gen. Laws Ch. 93H, regulations at 201 C.M.R. 17.00.
attorneys as well as others) require defined personal information to be encrypted
when it is electronically transmitted. As the use of encryption grows in areas like
these, it will become difficult for attorneys to demonstrate that confidential client
data needs lesser protection.
Comment [19] to Model 1.6 states that a lawyer is not required to “use special
security measures if the method of communication affords a reasonable
expectation of privacy.” The references above suggest that unencrypted e-mail –
like a post card – does not. The Comment also lists “the extent to which the
privacy of the communication is protected by law” as a factor to be considered.
The federal Electronic Communications Privacy Act makes unauthorized
interception of electronic communications a crime. Some observers have
expressed the view that this should be determinative and attorneys are not
required to use encryption. The better view is to treat legal protection as only one
of the factors to be considered. As discussed above, some of the newer ethics
opinions conclude that encryption may be a reasonable measure that should be
used, particularly for highly sensitive information.
Conclusion
Attorneys have ethical and common law obligations to take competent and
reasonable measures to safeguard information relating to clients. They also often
have contractual and regulatory requirements. Encryption is now a generally
accepted practice in information security for protection of confidential data and is
required by law for some data. In order to comply with their various duties and to
engage in sound professional conduct, attorneys should understand encryption
and have it available for use in appropriate situations.
Encryption for Smartphones and Tablets
The attributes that make smartphones and tablets great productivity tools also
make them risky. They are mobile, compact, powerful, have large storage
capacity, and have multiple avenues of connectivity. But they can be lost or
stolen, hacked, infected by malware, and have their communications intercepted
– all exposing confidential data. As discussed previously, encryption is a “nobrainer” solution that provides strong protection in the event of loss or theft. On
today’s smartphones and tablets, encryption is generally easy to set up and use.
Loss or theft is a great threat. Consumer Reports has estimated that
approximately 3.1 million Americans were victims of smartphone theft during
2012 and that about 1.4 million smartphones were lost and not recovered.17 The
Federal Communications Commission reported in April, 2012 that 30 to 40% of
robberies in major cities in the U.S. involved cell phones.18 The New York Times
reported that over half of the robberies in San Francisco in 2012 involved a
smartphone. It reported one instance when armed robbers asked a woman for
her iPhone, then handed it back when they saw that it wasn’t the latest model.19
Symantec, a leading security company, conducted a limited study in which it
placed 50 “lost” smartphones in public places and tracked what happened to
them.20 It reported that “When a business-connected mobile device is lost, there
is more than an 80 percent chance that an attempt will be made to breach
corporate data and/or networks” and only 50 percent of the finders contacted the
owner and provided contact information.
17
www.consumerreports.org/cro/news/2014/04/smart-phone-thefts-rose-to-3-1-million-lastyear/index.htm (last updated May 28, 2014). “The Symantec Smartphone Honey Stick Project” (2012).
18
FCC Announcement (April 10, 2012)
www.fcc.gov/document/announcement-new-initiatives-combat-smartphone-and-data-theft.
19
Malia Wollan, “Outsmarting Smartphone Thieves,” New York Times (May 8, 2013).
20
“The Symantec Smartphone Honey Stick Project” (2012).
Secure Setup
Encryption is part of the basic security setup that is generally recommended by
security professionals, device manufacturers and government agencies for
smartphones and tablets. 21 These basic measures include:
 Review and follow the security instructions of the device manufacturer and
carrier. (An important step that is often forgotten or ignored. Most Quick
Start Guides do not adequately address security. See below for references
to some of these Security Guides.)
 Maintain physical control of the device.
 Set a strong password, passphrase, or PIN.
 Set locking after a set number of failed log-on attempts.
 Set automatic logoff after a defined time.
 Encrypt confidential data on the device and any storage card.
(May require 3rd party software on older devices.)
 Provide for protection of data in transit, including secure wired and wireless
connections.
 Disable interfaces that are not being used. (Bluetooth, Wi-Fi, etc.)
 Enable remote location, locking, and wiping of a lost device.
(May require 3rd party software or service.)
 Consider use of 3rd party security applications. (antivirus, encryption,
remote locating and wiping, etc.)
 Backup important data.
 Do not “jailbreak” or “root” a smartphone.
(These actions unlock a phone, including security controls.)
Current iPhones, iPads, Android phones and tablets, BlackBerry devices, and some
Windows mobile phones all have built-in encryption that is easy to use. It’s either
automatic (with a password or PIN) or simply requires turning encryption on.
21
See, Roberto Baldwin, “Don’t Be Silly. Lock Down and Encrypt Your Smartphone,” Wired (October 26,
2014).
Apple has included device encryption since the iPhone 3GS. It’s turned on
automatically when a PIN or password is set. Apple recently announced that
starting with the current iOS 8, it will no longer have access to encryption keys –
they will be stored only on the devices. Apple has stated that this change will
prevent it from decrypting devices for law enforcement and government
agencies. If it works that way, it will provide strong protection unless the PIN or
password can be bypassed. It will not protect backed up data off the device (e.g.,
data synced to the iCloud).
Google Android devices have provided on-device encryption for a number of
years. It has been available with Honeycomb (tablets), Ice Cream Sandwich and
later versions of the operating system. Some later implementations of
Gingerbread also support on-device encryption. Earlier versions require a 3rd
party app for encryption. Google has recently announced that it will no longer
have access to encryption keys. Like iOS, they will be stored only on the phone.
On current Androids, encryption has to be turned on for both the device and
storage cards, a simple setting. With Android Lollipop, which was released in late
2014, encryption is automatically enabled when a PIN, password or pattern is set.
Windows Phone 7 does not support on-device encryption. Windows Phone 8 does
support on-device encryption, but it cannot be turned on by an individual user.
Encryption can only be turned on with Exchange Active Sync or a mobile device
management/enterprise mobility management program on a network. Windows
RT and Windows 8.1 on tablets have encryption enabled by default for devices
that meet published Microsoft technical specifications.
BlackBerry has been considered the “gold standard” for security for years,
including encryption. It takes a simple setting to enable it. It can be enabled on
the device itself or remotely via a BlackBerry Enterprise Server.
The steps for basic secure setup of the common mobile operating systems include
the following.
iPhones
For iPhones, follow the instructions in “Security Features” in “Chapter 3: Basics” in
the iPhone User Guide (iOS 8) (September, 2014). 22
They include:
 In “Settings” > “Touch ID & Passcode” or “Passcode,” turn off “Simple
Passcode.”
(A Simple Passcode enables encryption, but is not recommended
because they are too easy to defeat.)
 Set “Passcode Lock” and choose a strong passcode (enables encryption).
 Set “Auto-Lock.”
 Set “Erase Data” (after 10 failed passcode attempts, securely removes
data).
 Turn on “Find My Phone” (in Mobile Setting or iCloud).
 In iTunes (on the desktop or laptop), turn on “Encrypt iPhone backup.”
In addition,
 Set Siri to off when the phone is passcode locked.23
Encryption is automatically enabled when a PIN or password is set.
iPads
For iPads, follow the instructions in “Security” in “Chapter 3: Basics” in the iPad
User Guide (iOS 8) (September, 2014).24
Recommended security settings include:
 In Settings, General, Passcode Lock:
o Turn off Simple Passcode (allows a complex Passcode longer than 4
numbers).
22
Current version available at http://support.apple.com/manuals. See also, Apple, iOS Security
(February 2014).
23
www.pcworld.com/article/242253/siris_security_hole_the_passcode_is_the_problem.html.
24
Current version available at http://support.apple.com/manuals.







o Select Turn Passcode On and set a strong passcode (requires
Passcode to access iPad and enables Data Protection encryption).
o Set Require Passcode to “immediately” or a short time.
o Turn on Erase Data (erases data after 10 failed attempts to enter
Passcode).
In Settings, General, Auto-Lock, set a short idle time (after which re-entry of
Passcode is required.)
In Settings, iCloud, turn on Find My iPad (allows use of iPhone app or
Internet to display the iPad’s location on a map, to display a screen
message on the iPad, and to remotely lock or wipe the iPad).
In Settings, General, Bluetooth, turn Bluetooth off when you’re not using it.
In Settings, WI-Fi, turn Wi-Fi off when you’re not using it.
When using a wireless network, check for a lock icon – indicating a secured
wireless network. Avoid unsecure wireless networks or take appropriate
precautions to protect your iPad and confidential data. Using a cellular
network is much more secure than using an unsecured wireless network.
For Internet browsing, in Settings, Safari, turn on Fraud Warning and Block
Pop-Ups.
To protect data backed up in iTunes, connect to iTunes, in the iTunes
Summary screen, select Encrypt iPad backup.
Encryption is automatically enabled when a PIN or password is set.
Android
For Android smartphones and tablets, follow the security set up instructions in
the device manufacturer’s manual. 25 They should include:
 Set Screen Lock (password or PIN) (in Settings > Security).
 Set Screen Timeout (in Settings > Security).
 Enable remote locating and remote lock and erase in Android Device
Manager (in Apps > Google Settings).
25
E.g., Google’s encryption instructions for the Nexus phone,
https://support.google.com/nexus/answer/2844831?hl=en
 Encrypt Phone or Tablet (in Settings > Security). Encryption can take an
hour or more when it is enabled for the first time.
CAUTION: Connect the phone or tablet to a charger during the encryption
process when encryption is enabled for the first time. Loss of power during
the encryption process may result in a loss of data. Backup before
encrypting.
ANOTHER CAUTION: On some devices, turning on encryption for the SD
card after the device has been in use will wipe the data on the card. If this is
the case, there will be a warning when encryption is being set up. Pay
attention during the encryption setup process. Users will usually not want
to encrypt the card if the data on it will be erased.
The layout and specific steps can vary with different Android versions and device
manufacturers. This is an example, just making 2 checks to enable encryption –
one for the device and one for the memory card.
Enabling Encryption on Current Androids Requires Checking 2 Boxes
Figure 6.1
BlackBerry
The current version of the BlackBerry operating system is Blackberry 10 OS.
BlackBerry’s robust security features have to be turned on to provide the
available protection. Most law firms and other enterprises that use BlackBerry’s
manage security settings through BlackBerry Enterprise Server. Like other
smartphones, the following security settings should be enabled, in Settings >
Security and Privacy: set a strong PIN or password, set locking after a period of
inactivity, turn on encryption (device and media card), and set up BlackBerry
Protect (for remote locating and wiping).26
Encryption has to be turned on.
Windows
Windows RT is a version of Windows that was designed for tablets and ultranotebooks. It has been used for the Microsoft Surface tablet and for devices by
others like Dell and Asus. It has had limited commercial success. Windows RT
includes encryption called Device Encryption that is automatically enabled when a
user with an administrator account logs on to a Microsoft account. The Surface
Pro 3 uses Windows 8.1. Device Protection is enabled by default on Windows 8.1
devices that have a defined set of hardware specifications, including Surface Pro
3s.
With both Windows RT and 8.1, the user is prompted to save a recovery key
during the set up process. The recovery key may be saved in the user’s Microsoft
account, on a network (like a law firm’s) that is set up to manage Windows mobile
devices, on a portable device, like a USB drive, or printed on paper. This is an
important step because the recovery key will be needed for access if the
password is forgotten and may be needed if there is an operating system failure.
Some users have reported that they have had to use their recovery keys during
upgrades. Consult and follow Microsoft’s instructions for setting up security,
including Device Encryption.
26
Instructions at:
http://docs.blackberry.com/en/smartphone_users/deliverables/47561/als1334342592773.jsp.
Mobile Device Management
In an enterprise environment like a law firm, some form of mobile device
management (MDM) is frequently used in addition to the security measures
applied to each device. MDM is a set of controls that provides for enterprise
control (by IT staff or a service provider) of secure setup and use of mobile
devices. MDM can implement settings or force users to employ security
requirements, like complexity and age of passwords and encryption. MDM can
also be used to locate and wipe lost or stolen devices. The tools can be used for
storing encryption recovery keys and providing alternative administrator access to
encrypted mobile devices. MDM has been evolving into Enterprise Mobility
Management (EMM), which adds features like data protection and application
control. A number of service providers have products and services in this area,
either as a tool for the enterprise to install and operate or as hosted services.
Examples of leading MDM service providers are include AirWatch
(VMware)(www.air-watch.com), Citrix (Xenmobile)(www.citrix.com), Good
Technology (www.good.com), IBM (MaaS360) (www.maas360.com), and
MobilIron (www.mobileiron.com).
While it is not a full-featured MDM solution, Microsoft Exchange ActiveSync can
be used to synchronize Outlook data with mobile devices over a secure SSL
channel and to enforce some security controls, including device encryption.
(www.microsoft.com/exchange/en-us/default.aspx). It can be used to synch
Outlook e-mail, contacts, calendar, and tasks and to require the use of passwords
and encryption. It includes some management capability, but lacks some MDM
functions. For example, its management capability varies by device, its
management tools are fragmented, it lacks built-in reporting, and it does not have
mobile app management capability. Its functionality and support for it in mobile
platforms have been growing over time. Many solo and small firm attorneys use
the limited capabilities of Exchange ActiveSync instead of investing in the more
expensive MDM solutions.
Encrypted Compartment for Law Firm Data
A “compartment,” or sandbox, on a smartphone or tablet is a configuration of the
device that puts enterprise (law firm) apps and data in a separate partition of the
device from personal apps or data. The compartment is encrypted and isolated
from the rest of the device to protect the enterprise apps and data.
Good Technology, a leading MDM service provider, offers strong management
and security for mobile devices. It includes a secure compartment that separates
enterprise application and data from personal ones, encrypts it, and requires a
password for access to the enterprise compartment. It can remotely wipe the
contents of the compartment or all data on the device. It has been certified for
certain uses under the security requirements of the Federal Information
Processing Standard (FIPS) for federal agencies. Other MDM providers have been
adding this capability.
BlackBerry 10 and Samsung Knox have the built-in capability to separate business
and personal apps and data. Business apps and data are contained in a secure
partition that is isolated from the rest of the phone, similar to Good Technology’s
add-on. Samsung devices require a compatible MDM to enable the secure
compartment. Google has announced that Android Lollipop, released late in 2014
will include a feature to separate business and personal data.
Conclusion – Using the “No-Brainer” Solution
Because of the risk and high incidence of loss and theft, smartphones and tablets
present a great danger of compromise of confidential information stored on
them. Fortunately, there’s “a no-brainer” solution-encryption. It’s built into most
modern devices. It just has to be turned on.
Network Security
It is important to protect data in transmission as it moves through the various
networks from your device on the way to its final destination. Data travels over
both wired and wireless networks in packets (distinct groupings of data) with
source and destination information placed at the beginning of the data packet.
Without encryption, it is relatively easy for an attacker to capture and reassemble
packets with a program called a packet sniffer. There are several free packet
sniffers available on the Internet with Wireshark being one of the most popular.
On wired networks, the attacker has to be connected to the network (directly or
remotely). On wireless networks, an attacker just has to be within range of the
network. Protection can be provided by encrypting the data, providing an
encrypted “tunnel” over a network or networks (also known as a Virtual Private
Network, or VPN), or both.
With a network comprised of wire or fiber, you can provide some level of
protection by securing how the media is routed including whether it is encased in
piping, concrete or some other physical protection. That only helps you for the
routes that you install and control. Once it leaves your office network, it is much
harder to provide physical protection.
In contrast, it is hard to protect something you can’t see. At least with a fiber or
wired network, you can visually inspect the network wiring to see if someone is
trying to tap the line. Not so with wireless networks. The radio waves propagate
to areas that are nearly impossible to monitor. So how do we protect these
instances of data in transit? Yet again, encryption is your friend. If we encrypt the
wireless data transmissions, the confidentiality of the data can be protected.
There are various ways to encrypt wireless communications, from the very weak
to the very strong.
A wireless device (e.g. computer, smartphone, tablet) can authenticate to an
access point (think of this as a wireless receiver) in one of two ways. If open
system authentication (OSA) is used, there is no requirement that the wireless
device have a specific cryptographic key to present to the AP. In most cases, the
wireless device only needs the correct SSID (wireless network name). There is no
encryption here, so all the data is in clear text. By default, wireless devices
operate using OSA.
The second way is through shared key authentication (SKA), where the access
point (AP) sends a random value to the wireless device. The wireless device uses
its cryptographic key to encrypt the value and returns it to the AP. The AP
decrypts the information and compares it to the original value. If there is a match,
you get connected.
There are three wireless network encryption standards known as WEP, WPA and
WPA2, which will be discussed below. If you are impatient and don’t want to read
the technical details of each, WPA2 is the only recommended standard.
WEP
Wireless Equivalent Privacy (WEP) is a very common way to encrypt wireless
transmissions. WEP is a standard that adds security to 802.11 wireless networks.
It was ratified in September of 1999. It operates at the data link (layer 2) of the
OSI (Open Systems Interconnection) model (there are 7 total layers). Don’t worry,
there will not be a test concerning the OSI model. All you need to know is that
since WEP works at the lower layer of the model, it does not provide end-to-end
security.
The key thing to know about WEP is that the security is extremely weak and that
there are free tools available to crack the WEP encryption. This means that you
should not use WEP as a protection method for wireless transmissions. If you are
not interested in how WEP works or the specific “failures” of WEP, you can stop
reading this section and jump over to the next encryption method.
There are three core deficiencies of the WEP protocol. The first is the use of static
encryption keys. The WEP protocol uses the RC4 algorithm, which is a streamsymmetric cipher. Symmetric means that the exact same key is used by both the
sender and receiver to encrypt and decrypt the data. The 802.11 standard does
not specify how to automatically update the keys so in most cases the RC4
symmetric keys are never changed. To make matters worse, all of the wireless
devices and access points usually have the same key. This is similar to everyone in
your firm using the same password for network logon. Not a good thing.
The second problem with WEP deals with how initialization vectors (IV) are used.
An initialization vector is a numeric value that is used as a seed value. This value is
used with the symmetric key and the RC4 algorithm to make the encryption
process more variable or random. Having an encryption scheme that is very
random helps to keep the data secure since it would be very difficult to decipher
any patterns. If you can determine the pattern, the bad guys may be able to
understand the encryption process and actually determine the encryption key.
The initialization value and symmetric key are applied to the RC4 algorithm in
order to generate a key stream. Think of the key stream as the flow of data in an
encrypted state.
Not to get too much in the weeds, but there is some binary magic that happens
next which results in ciphertext (encryption). In most of the WEP
implementations, the same installation value vector is used time and time again.
In addition, since the same symmetric key is also typically used, there is no
effective randomness in the data stream. Since the data stream is not random,
thereby having patterns, there is the possibility to reverse-engineer the process to
determine the encryption key. You can then decrypt the data when you are
armed with the encryption key. In fact, many of the free tools that are available
on the Internet do exactly that. AirSnort, aircrack-ng and WEP-Crack are examples
of these cracking tools.
The third issue with WEP has to do with the Integrity Check Value (ICV), which is
essentially a 32-bit check value to see if the data was modified or damaged during
the transmission. The sender and receiver calculate the ICV. The receiver
compares the values and rejects the frame if the values are different. There are
certain situations where an attacker can modify the data and the receiver will not
detect that an alteration to the data occurred. That essentially makes the method
of verifying data integrity worthless.
Hopefully, you can now see why WEP encryption is not an option to protect
wireless transmissions. But what should you do to protect a wireless network?
Read on to learn about other wireless encryption methods.
WPA
In order to address the security flaws with WEP, the wireless standard was
modified. One of the specified changes was known as Wi-Fi Protected Access or
WPA. WPA is sometimes referred to as the draft 802.11i standard and was
available in 2003. An important improvement is the use of Temporal Key Integrity
Protocol (TKIP). With WEP, the encryption key is configured once and used for all
communication packets. TKIP vastly improves this by creating a new dynamic key
for each and every packet transmitted. Remember that effective encryption is
dependent on the randomness of the ciphertext. You can’t get much more
random than changing the key for each packet.
WPA also included improvement in the integrity checking process. WPA uses the
Michael message integrity code (MIC) instead of the ICV used with WEP
encryption. Using a MIC ensures that the receiver can detect if the data from the
sender has been altered. That’s because the MIC is a much stronger message
verification routine than the ICV.
So should you be encrypting wireless networks with WPA? Not so fast. Data
transmitted using WPA encryption was cracked by researchers Erik Tews and
Martin Beck in 2008. They attacked the TKIP in order to expose the data. It’s not
as bad as it sounds. Only the contents of “short” packets were revealed. Others
have used the Tews/Beck research to expand the attacks to WPA and reveal more
of the encrypted contents.
Just like WEP, there are free tools that can be used to attack WPA encryption.
Reaver and aircrack-ng are two such tools. Bottom line…don’t use WPA either.
WPA2
The next generation of WPA was approved by IEEE (Institute of Electrical and
Electronics Engineers) as 802.11i in 2004. The improvement is called WPA2 (Wi-Fi
Protected Access 2) and is also known as Robust Security Network (RSN). The
major change in the encryption scheme is that WPA2 uses the AES (Advanced
Encryption Standard) block cipher, whereas WEP and WPA use the RC4 stream
cipher as described above.
AES is an encryption specification that has been adopted by the U.S. government
and is in use worldwide. It is the successor to DES (Data Encryption Standard). The
AES specification was approved by NIST (National Institute of Standards and
Technology) in 2001. Like RC4, AES is a symmetric key algorithm, which means the
sender and receiver use the same key to encrypt and decrypt the data. A key (no
pun intended) difference is that the block size is 128 bits, but there are three key
lengths available. You can have a key length of 128, 192 or 256 bits.
The recommendation is to use only WPA2 for encrypting wireless networks. The
increased security of the encryption algorithm ensures the confidentiality of the
transmitted data. Make sure you check all your wireless devices and verify that
they are configured for WPA2 encryption. If WPA2 is not available for the
wireless device, get a replacement device.
Configuring your wireless access point or wireless router for WPA2 is very simple
to do. Access the configuration interface for your wireless router. This is normally
done by using a web browser and entering a specific IP address – check your
router’s instructions for the URL. Navigate to the section that deals with wireless
security. You should see something similar to Figure 8.1.
Figure 8.1
Make the selection for WPA2. You’ll also need to enter a passphrase for access to
the wireless network. It is a best practice to make this passphrase complex and
long, which follows the same recommendations as a login password. You will
need to give this passphrase to anyone authorized to access your wireless
network.
Using Wireless Networks
But how do you tell what type of encryption is being used for the wireless
network? Is it WEP, WPA or WPA2? Can you determine the encryption type prior
to connecting? How you access the wireless network properties varies by device
and operating system. We won’t even attempt to speak to wireless access with a
smartphone since there are way too many variants.
If you are using Windows 7, click on the wireless symbol (increasing bars icon to
the right of the muted speaker) in the lower right system tray (Figure 8.2).
Figure 8.2
The available wireless networks will be displayed. Place your mouse over one of
the discovered networks and the network properties will be displayed as in Figure
8.3.
Figure 8.3
Pay particular attention to the Security Type value. As is shown in Figure 8.3, the
wireless network named UNITE-62A7-GUEST is encrypted using WPA2. In case
you are curious, the PSK or Pre-Shared Key is one of two available authentication
methods. PSK is also known as personal mode since it is normally used in home
and small business environments. Displaying the network properties prior to
connection will let you know if you are about to connect to a potentially insecure
wireless network.
If you are running the latest Windows 8.1 version it gets a bit more complicated.
When you bring up the list of networks to attach to and put your cursor over the
network name, the properties of the network are not shown. Only insecure
networks (those with no encryption) will be indicated with an exclamation point
on a shield icon as is shown in Figure 8.4. The wireless networks named “Apple
Network 6a33a1” and “ATFA-guest” are networks with no encryption configured.
If you attempt to connect to one of them, a message shows that “Other people
might be able to see info you send over this network.”
Figure 8.4
You can only determine the method of wireless encryption once you are
connected to the network. Follow these steps to see the wireless network
properties.
1.
2.
3.
4.
Swipe from the right edge and select Settings
Click on or select Change PC settings
Click on or select Network
Click on or select the connected wireless network name.
The Data usage and Properties will be shown for the wireless network. The
encryption method will be shown as the Security type value. The same problem
exists for iOS devices. You cannot determine the encryption type prior to
connection. iOS devices will show the encrypted networks with a lock symbol, but
you cannot determine which type of encryption is utilized. Insecure wireless
networks will not have the lock symbol.
Secure Socket Layer
You may be familiar with secure socket layer (SSL) connections, but perhaps not
familiar with the name of the connection itself. We hope you are familiar with
obtaining a secure connection while surfing the Internet. This would be indicated
if you use https:// (note the “s”, denoting “secure”) as part of the URL. Typically,
website (http://) connections are unsecured and do not provide an encrypted
session as the https:// connections do. SSL connections are not just for websites,
although the largest usage is with https connections. You can use SSL over your
regular network to encrypt the communication stream as well.
Besides providing a secure encrypted connection to a web server, SSL is used to
secure communications to web-based e-mail. Most users will recognize the
https:// connection when accessing their e-mail using Outlook Web Access
(OWA). These are the two most common uses that users are aware of, but there
are a multitude of ways that SSL is used to:
 Secure connection to cloud-based computing platforms for workflow and
virtualization applications.
 Secure online credit card transactions.





Secure transfer of files over https or SFTP (secure FTP).
Secure the exchange of sensitive information online.
Secure hosting control panel logins such as cPanel and Parallels.
Secure web-based e-mail such as Outlook Web Access.
Secure internal intranet traffic used for file sharing and database
connections.
 Secure the connection between the e-mail client and e-mail server such as
the connection between Outlook and an Exchange server.
 Secure network logins and network traffic such as SSL VPNs or applications
like Citrix.
Secure Socket Layer uses the public-private key encryption system, which also
includes the use of a digital certificate. The asymmetric encryption (also known as
public-key cryptography) is used for SSL and is considered to be slower than
symmetric ciphers such as block or stream ciphers. With this type of encryption,
the public key is used to encrypt the data and the private key is used to decrypt
the data to render it in a readable form.
For the propeller head readers out there, SSL uses the RSA asymmetric algorithm.
RSA is named after its inventors, Ron Rivest, Adi Shamir and Leonard Adleman. It
is the most understood, easiest to implement and most popular of the
asymmetric algorithms. RSA is a worldwide de facto standard that can be used for
key exchange, encryption and digital signatures. It was developed at MIT in 1978
and provides authentication in addition to encryption.
The steps to establishing a SSL connection are listed below:
 The client initiates a connection to the server.
 The server sends the server’s certificate to the client.
 The client checks to see if the signing Certificate Authority is in the trusted
list for the browser.
 The client computes a hash of the certificate and compares the message
digest of the certificate by decrypting using the Certificate Authority’s
public key.
 The client checks the validity dates in the certificate.
 The client compares the URL listed in the certificate to the URL in the
browser before extracting the public key.
 The client extracts the server public key from the certificate.
 The client creates a session key (symmetric).
 The client encrypts the session key with the server’s public key and sends it
to the server.
 The server decrypts the session key with the server’s private key.
As you can see, the certificate plays an important role in securing the
communications session. This is why vendors are beginning to reject self-signed
certificates and trust only third party Certificate Authorities. A self-signed
certificate is one where you create the certificate yourself and do not use the
services of a third party provider, which provides some level of independent
identity validation. It is also possible for a hacker to steal the private key from a
digital certificate by infecting the computer with malware. One such example is
where hackers broke into an internal server at Adobe to compromise a digital
certificate, which allowed them to create at least two files that appeared to be
legitimately signed by Adobe. The two files actually contained malware. As a
result, Adobe revoked their certificates and reissued new ones. This is a good time
to remind you that when connecting to a secure website, if you’re presented with
an error message referencing a SSL certificate error or invalid certificate, proceed
with extreme caution or better yet, don’t proceed at all.
As final words, the SSL protocol only protects the data for the connection. It does
not provide security for the data once it is received. This means that the data is
encrypted while it is being transmitted, but once it is received by a computer, the
data is no longer encrypted. After all, it has to be in readable form for the
recipient. This means you have to trust that the receiving party will take steps to
protect the data.
Recent events have uncovered an unfixable flaw in the latest version of SSL. The
attack is named POODLE and uncovers a problem with the way SSL 3.0 handles
encryption using cipher block mode. It is not important that you understand the
technical issues relating to the SSL vulnerability. What’s important to know is that
you should know how to disable SSL for whatever browser that you use, which is
the recommended action. Visit https://zmap.io/sslv3/browsers.html for
instructions to disable SSL for common browsers. You may be thinking…if SSL is
dead then how can you have a secure Internet session? The answer is Transport
Layer Security (TLS), which is discussed in the next section.
TLS
Transport Layer Security is the successor to SSL and is designed to provide secure
communications over the Internet and prevent eavesdropping. The TLS protocol is
made up of two layers. The first layer is the TLS Record Protocol, which “rides” on
top of TCP (Transport Control Protocol), which is one of the components of
Internet traffic. TLS uses symmetric (same key used to encrypt and decrypt)
encryption to ensure that the connection is private. It should be noted that the
TLS Record Protocol can also be used without encryption. We’re not sure why you
would do that, but the specification does allow for it. The TLS Record Protocol is
also used to encapsulate higher level protocols such as the TLS Handshake
Protocol.
The second layer is the TLS Handshake Protocol, which allows authentication
between the client and the server. This layer performs the negotiation of the
encryption algorithm and cryptographic keys before the transmission or receipt of
any data.
TLS is also application protocol independent, which means that higher level
protocols can ride on top of TLS. Therefore, TLS provides a secure encrypted
network communication facility that any software program can take advantage
of. Even though TLS supersedes and extends SSL, it is not interoperable with SSL.
Where do we see TLS used? Many mail systems use TLS to protect the Simple Mail
Transfer Protocol (SMTP), which is used to send e-mail messages. In fact,
Microsoft’s Exchange 2010 has Opportunistic TLS enabled by default. This means
that the initial connection tries to use TLS first to secure the communications. You
can also enable TLS for older versions of Exchange if you want to send secure
e-mail. Besides the default setting for Exchange 2010, Google is now configured
always to use TLS encrypted connections for its Gmail service.
Link Encryption
When dealing with encryption of network communications, link encryption can be
used to encrypt the communication path. When performing link encryption, all of
the data along the communication path is encrypted. This is typically used for
connections such as satellite links, telephone circuits and T3 lines. With link
encryption, not only is the user data encrypted, but so are the headers, trailers,
addresses and routing information of the data packets. This gives you an extra
layer of protection to help fend off packet sniffers and eavesdroppers.
Link encryption is also known as online encryption and is normally used by service
providers in their network protocols. As previously mentioned, all of the
information is encrypted and must be decrypted at each hop in the network to
determine the next destination. Once the next destination is determined, the
packet has to be re-encrypted and sent on its way.
Link encryption is provided by the carrier. While the encryption is normally
provided for the carrier’s internal usage, you can request that the carrier provide
this type of encryption for any service that you may contract for.
End-to-end Encryption
Another form of network encryption is end-to-end encryption. With end-to-end
encryption, the user data is encrypted, but the routing information (e.g. header,
trailer, addresses, etc.) is not encrypted. This means that the various hops in the
network do not have to decrypt the routing information in order to determine the
next destination. This speeds up the handling of data packets, but also means that
hackers can learn more about a captured packet and its destination.
End-to-end encryption usually occurs at the application layer (topmost layer of
the OSI model) of the originating computer. It provides more flexibility for the
user in determining what data should be encrypted and what should not. It is
called end-to-end because the data stays encrypted along its entire journey from
the start to the finish.
If you are concerned with someone determining the path or route of the data
flow, then you would ask the carrier to provide link encryption as mentioned
above. Unless you are dealing with extremely sensitive information and need the
security of link encryption to communicate between two parties, end-to-end
encryption is usually sufficient.
Virtual Private Networks (VPN)
Virtual private networks (VPN) are secure connections that typically travel over
public networks such as the Internet. The VPN sets up an encrypted tunnel
between two points and transmits the data securely through the tunnel.
Effectively, it is a point-to-point connection between two devices. VPNs will allow
the attorney to access the firm’s resources from any location in a secure
encrypted fashion. Think of it as extending your private firm network without
geographic boundaries. Sort of a virtual network cable without the wires.
VPNs are used for remote access or for connecting two sites. When connecting
sites, the VPNs are configured through the router settings at each location. Each
router is configured for such values as the remote IP, the method of encryption,
type of authentication, etc. Many home and small business routers have the
ability to create a VPN tunnel between two locations. Setting up the VPN can be a
little confusing for some and may require the assistance of your IT provider.
Many attorneys will be familiar with using a VPN for remote access to the firm’s
computing resources. You need to configure a VPN server for the host (e.g. law
firm server) and then each remote computer needs to have VPN client software.
Cisco’s VPN software is very commonly used, especially since Cisco routers are
also prevalent in law firm networks. However, Cisco is not the only vendor that
provides VPN software. There are free open source VPN software products and
VPN is even built into the Windows operating system. Finally, you can subscribe
to a VPN service for a monthly fee where they provide the software client to load
on your computer. VPN services from Comodo and LogMeIn Hamachi are popular
third party providers of VPN services.
It is fairly easy to set up a VPN if you are using Windows 7. The simplest way to
get started is to click the Start button and type in VPN in the search box. This will
return a Set up a virtual private network (VPN) connection selection. Once you
have launched the wizard for setting up the VPN continue with the following
steps:
1. In the Internet Address field enter the IP address or the host name (e.g.
vpn.myoffice.com). This value is normally obtained from your network
administrator. Typically it’s the public IP address of your router.
2. You can change the Destination name field to indicate something more
descriptive about the connection. Perhaps entering something like VPN to
Smith, Apple and Green, PLC would be a better choice when naming the
connection.
3. Check the box Don’t connect now; just set it up so I can connect later. This
will save the settings for future use.
4. Click the Next button.
5. The next dialog box is for the logon credentials. If you leave the User name
and Password blank, you will be prompted for them when the connection is
attempted. If you are connecting to your firm’s network, it is suggested that
you fill in the Domain (optional) value. The recommendation is to leave the
User name and Password blank.
6. Click the Create button.
That’s it. When you are ready to connect, just click on the network icon in the
system tray. The networks available for connection will be listed. Select the VPN
network you previously configured.
Figure 8.5
The VPN connection box (Figure 8.5) will be displayed. Fill in the appropriate
logon information and click the Connect button. If the connection fails, click the
Properties button. The most common failure is the type of VPN setting. Normally,
you would leave this set to Automatic. Check with the network administrator to
see if it should be set to PPTP, L2TP/IPSec, SSTP or IKEv2.
VPN setup gets a little more complicated with Windows 8 and 8.1 systems. The
step are similar to a Windows 7 environment, but how you get to the various data
entry fields is different. It is best to get your IT support personnel to setup the
VPN for you. If you are really brave, just Google “how to configure vpn in windows
8.1” and you’ll get lots of suggestions.
RDP
Another secure network communication method is Remote Desktop Protocol
(RDP). RDP is another built-in feature of Windows and is similar to the VPN
connection previously described. RDP is an encrypted network connection that is
similar to a VPN. A VPN sets up a secure encrypted connection as if it were an
encrypted “wire” back to the office network, whereas a RDP connection is more
than just a connection. The RDP session is actually similar to a remote control
scenario like GoToMyPC or LogMeIn. By using Windows RDP you are creating a
desktop connection to the remote site. The computer you are connecting to has
to have RDP sessions enabled in order to accept the inbound connection. To
establish a RDP session, just click on the Remote Desktop Connection icon in the
Accessories folder on a Windows system. Just enter the IP address or host name
and click the Connect button. Enter your login credentials for authentication and
the RDP session will be established.
You will probably need assistance from your IT provider to initially enable RDP
and make sure that you have a fixed IP address to connect to. Dynamic IP
addresses are typically used for home network connections and are not
acceptable for RDP or VPN connections. A static IP address is needed so that you
always connect to the same address. You wouldn’t know where to connect if the
address changes as it does with dynamic IPs.
Summary
We’ve discussed several methods to securely communicate over a network.
When using wireless networks, WPA2 is the recommended encryption method.
Now that SSL is effectively dead, TLS is really your only choice for secure network
communications, especially when using your browser. Finally, encrypted remote
sessions can be achieved using VPNs or RDP sessions.